From e890eb244af82ba678e894a84983db5057fbb60a Mon Sep 17 00:00:00 2001
From: tv <tv@krebsco.de>
Date: Sun, 14 Feb 2016 13:26:37 +0100
Subject: krebs.setuid: init

---
 krebs/3modules/setuid.nix | 75 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 75 insertions(+)
 create mode 100644 krebs/3modules/setuid.nix

(limited to 'krebs/3modules/setuid.nix')

diff --git a/krebs/3modules/setuid.nix b/krebs/3modules/setuid.nix
new file mode 100644
index 00000000..22123c92
--- /dev/null
+++ b/krebs/3modules/setuid.nix
@@ -0,0 +1,75 @@
+{ config, pkgs, lib, ... }:
+with lib;
+let
+  cfg = config.krebs.setuid;
+
+  out = {
+    options.krebs.setuid = api;
+    config = imp;
+  };
+
+  api = mkOption {
+    default = {};
+    type = let
+      # TODO make wrapperDir configurable
+      inherit (config.security) wrapperDir;
+      inherit (config.users) groups users;
+    in types.attrsOf (types.submodule ({ config, ... }: {
+      options = {
+        name = mkOption {
+          type = types.filename;
+          default = config._module.args.name;
+        };
+        filename = mkOption {
+          type = mkOptionType {
+            # TODO unyuck string and merge with toC
+            name = "derivation or string";
+            check = x:
+              isDerivation x ||
+              isString x;
+          };
+          apply = toString;
+        };
+        owner = mkOption {
+          default = "root";
+          type = types.enum (attrNames users);
+        };
+        group = mkOption {
+          default = "root";
+          type = types.enum (attrNames groups);
+        };
+        mode = mkOption {
+          default = "4710";
+          type = mkOptionType {
+            # TODO admit symbolic mode
+            name = "octal mode";
+            check = x:
+              isString x &&
+              match "[0-7][0-7][0-7][0-7]" x != null;
+          };
+        };
+        activate = mkOption {
+          type = types.str;
+          visible = false;
+          readOnly = true;
+        };
+      };
+      config.activate = let
+        src = pkgs.execve config.name {
+          inherit (config) filename;
+        };
+        dst = "${wrapperDir}/${config.name}";
+      in ''
+        cp ${src} ${dst}
+        chown ${config.owner}.${config.group} ${dst}
+        chmod ${config.mode} ${dst}
+      '';
+    }));
+  };
+
+  imp = {
+    system.activationScripts."krebs.setuid" = stringAfter [ "setuid" ]
+      (concatMapStringsSep "\n" (getAttr "activate") (attrValues cfg));
+  };
+
+in out
-- 
cgit v1.2.3